Low-level Malware Trace??

Discussion in 'Windows Small Business Server' started by pd1215, Apr 6, 2004.

  1. pd1215

    pd1215 Guest

    I have a rogue mass-emailer program hiding somewhere on an
    SBS2K3 box. Does not show up on virus scans. Only valid
    system processes are running. Registry keys are clean.
    Doesn't run in safe mode. Suspect it hijacked a valid
    system process. Tried re-installing IIS/Exchange. Seemed
    to stop until I re-ran the Connect to Internet wizard.
    BadMail queue increases by 1K msgs a minute. Box is
    completely isolated from network. No open relay on
    Exchange.

    BadMail continues to generate even w/all Exchange svcs
    stopped (just at a slower rate). The program invokes
    Store.exe and Inetinfo.exe constantly. Anyone know a way
    to invoke advanced logging to trace back to the program
    that generates the BadMail? How about HOW to examine a msg
    in the BadMail queue (reader/viewer app)??
     
    pd1215, Apr 6, 2004
    #1

  2. You can open the files in the badmail folder in Notepad/Wordpad. There are
    3 files for each message (.bad, .bdp, and .bdr).

    - The .BAD file is the actual message that is in native SMTP format. It is
    just a Text file.

    - The .BDP file is the Diag message pointing back to a local .EML which is
    an NDR.
    (It is mostly in binary but some of it is readable)

    - The .BDR file is the body of the NDR, giving the Error code and
    recipient/originator.


    Run msconfig, check the Services and Startup tabs for anything unusual. It
    helps to have a working or default server install to compare to.

    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Chris Puckett [MSFT], Apr 6, 2004
    #2

  3. Not necessarily. Root-kits for Windows regularly create processes and
    hide them from the normal Windows tools.
    Wipe the server clean and reinstall (not restore from backup).
    The .bad file probably contains the original message with headers.
     
    Rich Matheisen [MVP], Apr 7, 2004
    #3
  4. The badmail folder is where messages go that cannot be delivered. This
    folder is configured in the properties of the Default SMTP Virtual Server
    and stored in the IIS Metabase. If the SMTP service is running, that may
    be all the program needs unless it has its own SMTP engine. Try stopping
    the SMTP service and see if files are still added to the badmail folder.

    You should start by opening the .bad files and reading the headers to see
    what IP address the mail messages are coming from.

    You could enable logging in the properties of the default smtp virtual
    server on the general tab. It may have already been enabled. If so, the
    default location for the log files is the
    windows\system32\logfiles\smtpsvc1 folder. It will show you which IP
    address the email is originating from.

    You can run the command < netstat -an | find ":25" > to see what
    connections are established to port 25 on the server.

    You can download the fport utility from www.foundstone.com to see the same
    information as netstat plus it will show the process of the owning
    application.


    Chris Puckett, MCSE
    Microsoft Small Business Server Support


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Chris Puckett [MSFT], Apr 7, 2004
    #4
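    Two of the checks suggested in this thread (reading the headers of the .bad files to see which address delivered each message, and reading the smtpsvc1 log to see which clients are talking to port 25) lend themselves to a small script once the BadMail folder is filling at 1K messages a minute. The following Python is an added example written for this thread; it is not code from the original posts or from Microsoft. It assumes each .bad file is the message in plain SMTP/RFC 822 text (as post #2 says), that the SMTP service log is W3C extended format with a "#Fields:" line naming the columns, and that all sample data below is constructed; the server address in LOCAL_ADDRS is a placeholder, not the poster's box.

```python
"""BadMail / SMTP-log triage helpers (added example, not from the thread)."""
import re
from collections import Counter
from email import message_from_string

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Addresses that mean "this box": loopback plus the server's own IP.
# 192.0.2.10 is a placeholder (documentation range), not a real server.
LOCAL_ADDRS = {"127.0.0.1", "192.0.2.10"}


def received_ips(bad_text):
    """Return the IPv4 address in each Received: header, top-most first.

    The top-most Received header is the one this server added when it
    accepted the message, so its address is the client that delivered it;
    a loopback or local address there means the sender is on the box.
    """
    msg = message_from_string(bad_text)
    ips = []
    for hdr in msg.get_all("Received") or []:
        m = IPV4_RE.search(hdr)
        ips.append(m.group(1) if m else None)
    return ips


def classify_origin(bad_text, local_addrs=LOCAL_ADDRS):
    """'local' if the last hop came from this box, 'remote' otherwise."""
    ips = received_ips(bad_text)
    if not ips or ips[0] is None:
        return "unknown"
    return "local" if ips[0] in local_addrs else "remote"


def summarize_badmail(bad_texts):
    """Tally local/remote/unknown origins across many .bad files."""
    return Counter(classify_origin(t) for t in bad_texts)


def parse_w3c_log(text):
    """Parse a W3C extended log into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line before #Fields header")
        records.append(dict(zip(fields, line.split())))
    return records


def top_clients(records, method=None, n=5):
    """Busiest connecting clients (c-ip), optionally for one SMTP verb only."""
    hits = (r.get("c-ip") for r in records
            if method is None or r.get("cs-method") == method)
    return Counter(hits).most_common(n)


# Constructed sample .bad contents: one message handed in over loopback
# (what a mailer running on the box would look like), one from a remote host.
SAMPLE_BAD_LOCAL = """Received: from sbs.example.test ([127.0.0.1]) by sbs.example.test with Microsoft SMTPSVC(6.0.3790.0);
 Tue, 6 Apr 2004 10:15:02 -0500
From: <bogus@example.test>
To: <nobody@example.invalid>
Subject: constructed sample
Message-ID: <0001@sbs.example.test>

constructed body
"""

SAMPLE_BAD_REMOTE = """Received: from mail.example.test ([203.0.113.45]) by sbs.example.test with Microsoft SMTPSVC(6.0.3790.0);
 Tue, 6 Apr 2004 10:16:40 -0500
Received: from client.example.test (198.51.100.7) by mail.example.test;
 Tue, 6 Apr 2004 10:16:35 -0500
From: <real@example.test>
To: <nobody@example.invalid>
Subject: constructed sample

constructed body
"""

# Constructed smtpsvc1-style log with a reduced #Fields list.
SAMPLE_SMTP_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2004-04-06 15:15:00 127.0.0.1 HELO +sbs.example.test 250
2004-04-06 15:15:00 127.0.0.1 MAIL +FROM:<bogus@example.test> 250
2004-04-06 15:15:00 127.0.0.1 RCPT +TO:<nobody@example.invalid> 250
2004-04-06 15:15:01 127.0.0.1 DATA +<0001@sbs.example.test> 250
2004-04-06 15:16:40 203.0.113.45 HELO +mail.example.test 250
2004-04-06 15:16:41 203.0.113.45 MAIL +FROM:<real@example.test> 250
"""

if __name__ == "__main__":
    print(summarize_badmail([SAMPLE_BAD_LOCAL, SAMPLE_BAD_REMOTE]))
    print(top_clients(parse_w3c_log(SAMPLE_SMTP_LOG), method="MAIL"))
```

    On a real box you would read every .bad file in the BadMail folder into summarize_badmail and every log file under windows\system32\logfiles\smtpsvc1 into parse_w3c_log. If the .bad headers and the log both point at loopback or the server's own address, that corroborates the local-process theory in the question, and the netstat/fport step in this post is what ties that connection to an owning process.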
  5. pd1215

    pd1215 Guest

    Thanks again for the info! I'll try this out - otherwise,
    may be looking at a clean install. :[
     
    pd1215, Apr 7, 2004
    #5
  6. pd1215

    pd1215 Guest

    Rich,

    Thanks for mentioning "root-kits" for windows! I
    intuitively knew there was something like this going on,
    but didn't know what to call it. I'll do some research on
    it.
     
    pd1215, Apr 7, 2004
    #6
